Researchers recently found at least 50 apps in the official Google Play market that made charges for fee-based services without the knowledge or permission of users. The apps were downloaded as many as 4.2 million times. Google quickly removed the apps after the researchers reported them, but within days, apps from the same malicious family were back and infected more than 5,000 devices.

The apps, all from a family of malware that security firm Check Point calls ExpensiveWall, surreptitiously uploaded phone numbers, locations, and unique hardware identifiers to attacker-controlled servers. The apps then used the phone numbers to sign up unwitting users to premium services and to send fraudulent premium text messages, a move that caused users to be billed. Check Point researchers didn't know how much revenue was generated by the apps. Google Play showed the apps had from 1 million to 4.2 million downloads.

Packing heat

ExpensiveWall—named after one of the individual apps called LovelyWall—used a common obfuscation technique known as packing. By compressing or encrypting the executable file before it's uploaded to Play, attackers can hide its maliciousness from Google's malware scanners. A key included in the package then reassembled the executable once the file was safely on the targeted device. Although packing is more than a decade old, Google's failure to catch the apps, even after the first batch was removed, underscores how effective the technique remains.

"While ExpensiveWall is currently designed only to generate profit from its victims, a similar malware could be easily modified to use the same infrastructure in order to capture pictures, record audio, and even steal sensitive data and send the data to a command and control (C&C) server," Check Point researchers wrote in a report scheduled to be published Thursday. "Since the malware is capable of operating silently, all of this illicit activity takes place without the victim's knowledge, turning it into the ultimate spying tool."

Even after Google removed the apps from Play, many phones will remain infected until users explicitly uninstall the malicious titles, Check Point researchers told Ars. Google has long said that a security feature known as Play Protect, previously called Verify Apps, will automatically remove malicious apps from affected phones. Many phones, however, are never disinfected, either because users have turned off the default feature or are using an old version of Android that doesn't support it, Check Point researchers told Ars. A full list of the affected apps is included in the Check Point report linked above. Google representatives didn't immediately have a comment for this post.

The researchers said they believe ExpensiveWall is spread by a software developer kit called gtk that developers embed into their own apps. It's not clear if individual developers knew of the malicious behavior their apps carried out. Google's continued inability to block malicious apps from Play is one of the biggest security liabilities hanging over the Android operating system. Android users should limit the apps they install on their devices. They should also carefully read user comments and examine requested permissions before installing an app. They should also ensure Play Protect is turned on by opening the Google Play app, choosing options, selecting the Play Protect tab, and making sure the protection is on. Those measures are by no means adequate for ensuring an installed app is trustworthy, but at the moment, that's the best assurance available.